News in 2009

2009-12-28: release 0.7.2 of nss-pam-ldapd
This is an update for the 0.7 series that fixes some bugs and brings some
new functionality.
This should be a reasonably stable and well tested release.
A summary of the changes since 0.7.1:

some attributes may be mapped to a shell-like expression that expands
attributes from LDAP entries; this allows attribute overrides,
defaults and much more (as a result the passwd cn
attribute mapping has been removed because the gecos mapping is now
"${gecos:-$cn}" by default)

update the NSS module to follow the change in Glibc where the addr
parameter of getnetbyaddr_r() was changed from network byte order to
host byte order

properly escape searches for uniqueMember attributes for DNs with a
comma in an attribute value
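The two 0.7.2 items above, the shell-like attribute mapping and the escaping of DNs in search filters, worked through in Python as an added example. This is illustrative code and not nslcd's implementation: it assumes an LDAP entry is a dict of attribute names to lists of values, that an expression uses the first value of a multi-valued attribute, and that the supported forms are $attr, ${attr}, ${attr:-default} and ${attr:+value} (the page itself only shows "${gecos:-$cn}"). The PASSWD_MAP table is a plausible mapping for the passwd map; only its gecos line is taken from the page. Filter escaping follows RFC 4515.

```python
import re

# Attribute names: a letter followed by letters, digits, '_' or '-'.
_NAME = r'[A-Za-z][A-Za-z0-9_-]*'


def _first_value(entry, name):
    """First value of attribute NAME, matched case-insensitively as LDAP
    attribute names are; None when the entry has no such attribute."""
    for attr, values in entry.items():
        if attr.lower() == name.lower() and values:
            return values[0]
    return None


def expand(expr, entry):
    """Expand a shell-like mapping expression against ENTRY.

    $attr, ${attr}     -> the value, or "" when absent
    ${attr:-default}   -> the value, or DEFAULT (itself expanded) when absent/empty
    ${attr:+value}     -> VALUE (expanded) when present, "" otherwise
    Everything else is copied literally, so a plain string is a constant override.
    (Assumed syntax for this example; see the lead-in.)
    """
    out = []
    i, n = 0, len(expr)
    while i < n:
        if expr[i] != '$':
            out.append(expr[i])
            i += 1
            continue
        i += 1
        if i < n and expr[i] == '{':
            # Find the matching '}' so defaults may contain nested ${...}.
            depth, j = 1, i + 1
            while j < n and depth:
                depth += {'{': 1, '}': -1}.get(expr[j], 0)
                j += 1
            if depth:
                raise ValueError('unterminated ${ in %r' % expr)
            body, i = expr[i + 1:j - 1], j
            m = re.fullmatch(r'(%s)(?::([-+])(.*))?' % _NAME, body, re.S)
            if not m:
                raise ValueError('bad expression ${%s}' % body)
            name, op, arg = m.groups()
            value = _first_value(entry, name)
            if op == '-':
                out.append(value if value else expand(arg, entry))
            elif op == '+':
                out.append(expand(arg, entry) if value else '')
            else:
                out.append(value or '')
        else:
            m = re.match(_NAME, expr[i:])
            if not m:
                raise ValueError('bad expression at %r' % expr[i - 1:])
            i += m.end()
            out.append(_first_value(entry, m.group(0)) or '')
    return ''.join(out)


# Mapping for the passwd map. Only the gecos line is from the page; the
# homeDirectory and loginShell defaults are assumptions showing overrides.
PASSWD_MAP = {
    'uid': '$uid',
    'uidNumber': '$uidNumber',
    'gidNumber': '$gidNumber',
    'gecos': '${gecos:-$cn}',
    'homeDirectory': '${homeDirectory:-/home/$uid}',
    'loginShell': '${loginShell:-/bin/sh}',
}


def map_passwd(entry, mapping=PASSWD_MAP):
    """Build the passwd fields for ENTRY from the mapping expressions."""
    return {field: expand(expr, entry) for field, expr in mapping.items()}


def escape_filter_value(value):
    """RFC 4515 escaping of a value placed inside a search filter: the
    characters \\ * ( ) and NUL become \\XX hex escapes. A DN such as
    'uid=Bloggs\\, Joe,ou=people,...' carries its own backslash, which
    must therefore appear as \\5c in the filter."""
    return re.sub(r'[\\*()\x00]', lambda m: '\\%02x' % ord(m.group(0)), value)


def unique_member_filter(dn):
    """The (uniqueMember=DN) filter used to find groups containing DN."""
    return '(uniqueMember=%s)' % escape_filter_value(dn)
```

Without the escaping step, a DN with an escaped comma in an attribute value produces a filter in which the LDAP server reads "\," as a malformed escape and the group lookup silently returns nothing; the same routine also neutralises "*", "(" and ")" in attacker-influenced values.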

2009-11-22: security advisory: problems with case-insensitive LDAP lookups
Versions of nss-ldapd (now called nss-pam-ldapd) before
0.6.11 do not filter the results of an LDAP search to keep only
case-sensitive matches (many LDAP attribute matching rules, including the
one for uid, are case-insensitive).
As a result, users whose names differ only in case but share the same
numeric user id can appear to exist on the system.
This causes problems on systems where privileges are assigned to
users based on their username with case-sensitive matching.
One such place is determining group membership (even when the groups are
in LDAP), another is netgroups. This allows a user to successfully log in
under an incorrectly cased name and have the wrong privileges assigned
(e.g. a user logs in as Joe instead of joe and is no longer in the group
denyaccess).
This issue also exposes a problem in nscd (GNU C Library Name Service Cache
Daemon), which does not support multiple users with the same numeric user id.
This can cause invalid information to be entered into the nscd cache,
which can deny service to affected users (e.g. this is known to cause
problems for SSH and Kerberos).
In some configurations this can be exploited remotely (Apache serving
users' public_html directories, an SSH server or other services that
perform username lookups).
If you are affected by this problem but cannot upgrade to a more recent
release, you may want to review the
change that went
into the 0.6.11 release.
For Debian lenny an updated version 0.6.7.2 was made.
This problem also affects the
nss_ldap
module from PADL Software Pty Ltd and probably also the nssov overlay from
OpenLDAP's slapd. Similar
problems may also affect other software that performs LDAP lookups.
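The failure described in the advisory above and the 0.6.11 fix, as an added simulation in Python (not code from nss-ldapd). The directory entries, the denyaccess group and the login logic are constructed for the demonstration. The simulation mirrors the standard schema, in which the uid attribute is matched case-insensitively (caseIgnoreMatch) while memberUid is matched case-exactly (caseExactIA5Match); the 0.6.11 change is modelled as dropping search results whose uid is not an exact match for the requested name.

```python
# Constructed sample directory; not real accounts.
PASSWD_ENTRIES = [
    {'uid': 'joe', 'uidNumber': 1000, 'gidNumber': 100, 'homeDirectory': '/home/joe'},
    {'uid': 'ann', 'uidNumber': 1001, 'gidNumber': 100, 'homeDirectory': '/home/ann'},
]
GROUP_ENTRIES = [
    {'cn': 'denyaccess', 'gidNumber': 900, 'memberUid': ['joe']},
    {'cn': 'staff', 'gidNumber': 100, 'memberUid': ['joe', 'ann']},
]


def ldap_search_passwd(name):
    """The server's view of (uid=NAME): uid uses caseIgnoreMatch, so
    'Joe' and 'joe' both match the entry with uid 'joe'."""
    return [e for e in PASSWD_ENTRIES if e['uid'].lower() == name.lower()]


def getpwnam_vulnerable(name):
    """Pre-0.6.11 behaviour: whatever the server returns is trusted, so a
    lookup for 'Joe' yields joe's numeric user id. Two names now resolve to
    uid 1000, which is also what confuses nscd's uid-keyed cache."""
    results = ldap_search_passwd(name)
    return results[0] if results else None


def getpwnam_fixed(name):
    """0.6.11 behaviour: results whose uid is not an exact, case-sensitive
    match for the requested name are discarded."""
    for entry in ldap_search_passwd(name):
        if entry['uid'] == name:
            return entry
    return None


def initgroups(name):
    """Groups of NAME via (memberUid=NAME): memberUid uses caseExactIA5Match,
    so 'Joe' is a member of none of joe's groups."""
    return {g['cn'] for g in GROUP_ENTRIES if name in g['memberUid']}


def login(name, getpwnam):
    """A service that resolves the name it was given and then applies a
    name-based group restriction, the way a PAM or sshd group check does."""
    pw = getpwnam(name)
    if pw is None:
        return False, 'unknown user'
    if 'denyaccess' in initgroups(name):
        return False, 'member of denyaccess'
    return True, 'uid %d' % pw['uidNumber']


if __name__ == '__main__':
    for who in ('joe', 'Joe'):
        print('vulnerable', who, login(who, getpwnam_vulnerable))
        print('fixed     ', who, login(who, getpwnam_fixed))
```

With the vulnerable resolver, "joe" is refused because of denyaccess while "Joe" is admitted with joe's user id; with the fixed resolver, "Joe" is simply an unknown user. The same check belongs in every place that turns a search result back into a name, including group and netgroup lookups.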

2009-10-20: release 0.7.1 of nss-pam-ldapd
This is an update for the 0.7 release that fixes some bugs, improves
portability and brings some new functionality, mostly in the PAM
module.
This should be a reasonably stable and well tested release with the PAM
module being reasonably complete.
A summary of the changes since 0.7.0:

2009-09-04: release 0.7.0 of nss-pam-ldapd
This is a new release that brings with it amongst other things a name
change of the software and a name change of the configuration file.
These changes were done to reflect the addition of the PAM module as a
standard part of the software.
The PAM module is still under development but should be mostly functional
for authentication purposes. Other than that this should be a reasonably
stable and well tested release.
A summary of the changes since 0.6.11:

rename software to nss-pam-ldapd to indicate that PAM module
is now a standard part of the software

the PAM module is now built by default (the configure script can be
instructed whether or not to build certain parts)

the default configuration file name has been changed to
/etc/nslcd.conf

the default values for bind_timelimit and
reconnect_maxsleeptime were lowered from 30 to 10 seconds

password hashes are no longer returned to non-root users (based on a
patch by Alexander V. Chernikov)

a pam_ldap(8) manual page was added

unknown options in the configuration file can now be ignored with a
new --disable-configfile-checking configure option

Get this release from the downloads section.
If you were using the svn version note that the repository name and path in
the repository have changed. Either check out using the new location or
update your repository with the following two commands:

2009-07-12: release 0.6.11 of nss-ldapd
This release fixes a number of bugs in the 0.6.10 and earlier releases
and adds a couple of functionality improvements.
This should be a reasonably stable and well tested release.
changes since 0.6.10:

fix user name to groups mapping (a bug in buffer checking in
initgroups() that was introduced in 0.6.9)

fix a possible buffer overflow with too many uidNumber or
gidNumber attributes (thanks to David Binderman for finding
this)

2009-06-14: nss-ldapd homepage moved
Since I completed my studies at Delft University quite some time ago,
the nss-ldapd homepage has been moved to
https://arthurdejong.org/nss-ldapd/.
The contact email address has also been changed to arthur@arthurdejong.org.
The subversion repository and viewvc URLs have also changed (see the
downloads section for details).
If you were using the svn repository before you can do

2009-06-03: release 0.6.10 of nss-ldapd
This release fixes a number of bugs in the 0.6.9 and earlier releases.
This should be a reasonably stable and well tested release.
This release includes improvements to the experimental PAM module
introduced in 0.6.9 and adds basic LDAP authentication to nslcd. The PAM
module is still disabled by default.
It is expected that the 0.7 release will include the PAM module by default
at which point the software will probably be renamed to nss-pam-ldapd
(suggestions for a better name are welcome).
changes since 0.6.9:

implement searching through multiple search bases, based on a patch
by Leigh Wedding

fix a segmentation fault that could occur when using any of the
tls_* options with a string parameter

miscellaneous improvements to the experimental PAM module

implement PAM authentication function in the nslcd daemon

the code for reading and writing protocol entries between the NSS
module and the daemon was improved

2009-05-09: release 0.6.9 of nss-ldapd
This release fixes a number of bugs in the 0.6.8 and earlier releases.
This should be a reasonably stable and well tested release.
This release introduces an experimental PAM module contributed by Howard
Chu from the OpenLDAP project that works together with the nssov overlay
in slapd. Work is underway to complete the needed functionality in
nss-ldapd's nslcd process. With this release the PAM module is disabled by
default.
changes since 0.6.8:

produce more detailed logging in debug mode and allow multiple
-d options to be specified to also include logging from the
LDAP library

some LDAP configuration options are now initialized globally instead
of per connection which should fix problems with the
tls_reqcert option

documentation improvements for the NSLCD protocol used between the NSS
module and the nslcd server

imported the new PAM module from the OpenLDAP nssov tree by Howard Chu
(note that the PAM-related NSLCD protocol is not yet finalised and
this module is not built by default)

in the configure script allow disabling of building certain
components

fix a bug with writing alternate service names and add checks for
validity of passed buffer in NSS module

2009-03-22: release 0.6.8 of nss-ldapd (security update)
This release fixes a security problem in 0.6.7 and earlier releases in the
Debian package configuration. A similar problem could also affect other
users.
The nss-ldapd.conf that is installed by the Debian package was
created world-readable, which exposes the LDAP bind password to every local
user if the bindpw option is used. This has been fixed in the Debian package,
but other users should check the permissions of the nss-ldapd.conf file
when the bindpw option is used (warnings have been added to the manual page
and the sample nss-ldapd.conf).
The CVE project has assigned id
CVE-2009-1073
to this problem.
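The check the advisory above asks administrators to perform, as an added Python example (not part of nss-ldapd): it reports whether a configuration file that sets bindpw is readable by group or others, whether anyone but the owner can write it, and optionally whether it is owned by root, and applies the usual remediation of mode 0600. It assumes the bindpw keyword is written in lowercase at the start of a line, as in the manual page, and the demo() walk-through uses a temporary file with constructed contents.

```python
import os
import re
import stat
import tempfile

# A bindpw line: optional leading whitespace, the keyword, whitespace, a value.
BINDPW_LINE = re.compile(r'^\s*bindpw\s+\S')


def conf_has_bindpw(path):
    """True when the configuration file sets a bind password."""
    with open(path, encoding='utf-8', errors='replace') as fh:
        return any(BINDPW_LINE.match(line) for line in fh)


def conf_exposure(path, require_root_owner=True):
    """Problems with PATH's ownership and mode; an empty list means the file
    neither leaks a bindpw nor can be altered by non-owners."""
    problems = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if conf_has_bindpw(path):
        # Read access for anyone but the owner discloses the password.
        if mode & stat.S_IRGRP:
            problems.append('readable by group')
        if mode & stat.S_IROTH:
            problems.append('readable by others')
    # Write access by non-owners lets them repoint the daemon at another server.
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append('writable by group or others')
    if require_root_owner and st.st_uid != 0:
        problems.append('not owned by root (uid %d)' % st.st_uid)
    return problems


def restrict(path, require_root_owner=True):
    """Apply the remediation (mode 0600) and re-check."""
    os.chmod(path, 0o600)
    return conf_exposure(path, require_root_owner)


def demo():
    """Walk-through on a temporary file with constructed contents: the file is
    first world-readable (as the Debian package installed it), then fixed.
    The root-ownership check is skipped because the temp file belongs to the
    current user."""
    fd, path = tempfile.mkstemp(prefix='nss-ldapd.conf.')
    try:
        os.write(fd, b'uri ldap://ldap.example.com/\n'
                     b'binddn cn=proxy,dc=example,dc=com\n'
                     b'bindpw s3cret\n')
        os.close(fd)
        os.chmod(path, 0o644)
        before = conf_exposure(path, require_root_owner=False)
        after = restrict(path, require_root_owner=False)
        mode = stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.remove(path)
    return {'before': before, 'after': after, 'mode': mode}


if __name__ == '__main__':
    print(demo())
    # On a real system: conf_exposure('/etc/nss-ldapd.conf')
    # (or /etc/nslcd.conf from 0.7 onwards)
```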
This release also includes the following changes since 0.6.7:

clean the environment and set LDAPNOINIT to disable parsing
of LDAP configuration files (~/.ldaprc,
/etc/ldap/ldap.conf, etc)

remove sslpath option because it wasn't used

correctly set SSL/TLS options when using StartTLS

rename the tls_checkpeer option to tls_reqcert,
deprecating the old name and supporting all values that OpenLDAP
supports

allow backslashes in user and group names except as first or last
character
